From: Herve Eychenne <rv@wallfire.org>
To: Harald Welte <laforge@netfilter.org>, Patrick Schaaf <bof@bof.de>,
Netfilter Developers <netfilter-devel@lists.netfilter.org>,
Roberto Nibali <ratz@tac.ch>
Subject: Re: possible issues with blowing up struct ipt_log_info
Date: Mon, 4 Jul 2005 00:05:25 +0200 [thread overview]
Message-ID: <20050703220525.GA3331@eychenne.org> (raw)
In-Reply-To: <20050703123650.GW3186@sunbeam.de.gnumonks.org>
On Sun, Jul 03, 2005 at 02:36:50PM +0200, Harald Welte wrote:
> On Wed, Jun 29, 2005 at 06:09:23PM +0200, Herve Eychenne wrote:
> > On Wed, Jun 29, 2005 at 05:40:49PM +0200, Patrick Schaaf wrote:
> >
> > > > My question is, if anyone sees any problems with this, regarding performance
> > > > degradation on 32bit boxes or with caching problems?
> >
> > > The problem is compatibility with older versions of the LOG target,
> > > both Userlevel (iptables .so module), and Kernel.
> >
> > > You can either make this a new target, or look how the versioning
> > > infrastructure discussed here some months ago, worked out. (I don't
> > > know; maybe there's already a HOWTO, or you want to write one :)
> >
> > I remember saying here that it would be cool to have the log prefix length
> > tunable at kernel LOG module insertion, have it exported (read-only) to some
> > /proc entry, and have userspace (iptables, or any other upper-level
> > application) rely on the real-time extracted value.
> I really don't think that this is worth the complexity...
Trying to insert potentially many LOG rules to empirically determine
the maximum prefix length is far less complex, that's for sure. ;-)
For now, that's the only way an upper-level tool will produce valid
LOG rules in all cases.
Probably many of you won't care, but for this kind of upper-layers
(which I'm particularly concerned with) netfilter/iptables sometimes
makes it hard to turn "should work" into "will work".
That LOG thing is only one example, though probably not the best.
> I also don't really like using out-of-band interfaces such as /proc
> to determine how to communicate rules via {get,set}sockopt()
Maybe you don't like /proc, but the kernel still has to provide a way
to inform userspace about the fixed size of some of its data (as
kernelspace doesn't like dynamic things very much...). If you see a
better way, that's ok, but the need is still there.
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
next prev parent reply other threads:[~2005-07-03 22:05 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-29 15:37 possible issues with blowing up struct ipt_log_info Roberto Nibali
2005-06-29 15:40 ` Patrick Schaaf
2005-06-29 16:08 ` Roberto Nibali
2005-06-29 16:09 ` Herve Eychenne
2005-07-01 7:08 ` Roberto Nibali
2005-07-03 12:36 ` Harald Welte
2005-07-03 22:05 ` Herve Eychenne [this message]
2005-07-04 5:55 ` Patrick Schaaf
2005-07-04 8:20 ` Roberto Nibali
2005-07-04 8:59 ` Harald Welte
2005-07-04 9:26 ` Roberto Nibali
2005-07-04 9:53 ` Harald Welte
2005-07-04 10:13 ` Roberto Nibali
2005-07-04 10:08 ` Herve Eychenne
2005-07-04 10:48 ` Roberto Nibali
2005-07-04 11:21 ` Herve Eychenne
2005-07-04 9:23 ` Herve Eychenne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050703220525.GA3331@eychenne.org \
--to=rv@wallfire.org \
--cc=bof@bof.de \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=ratz@tac.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.